Download GNU package, verify GPG signature and generate content for binary_hashes.

get_gnu_package.sh

#!/bin/bash

#
# Gets a GNU software package from GNU and verifies signature with GPG
#
#  Author: Trevor Cooper <[email protected]>
# Twitter: @HPCDevOps
#  GitHub: https://github.com/tcooper
#

if [ "$#" == "0" ]; then
    echo "You must provide the name of the GNU package as an input."
    exit 1
fi

ROOTDIR=`pwd`
URL_BASE=http://ftp.gnu.org/gnu
PKG=$1
PKG_SIG=$1.sig
PKG_NAME=`echo $PKG | cut -d\- -f1`
PKG_DIR=$PKG_NAME/`basename ${PKG} .tar.gz`
KEYRING=gnu-keyring.gpg

# Download package...
if [ ! -f "${ROOTDIR}/${PKG}" ];
then
	echo -n "Downloading ${URL_BASE}/${PKG_DIR}/${PKG}... "
	curl -f -s -LO "${URL_BASE}/${PKG_DIR}/${PKG}"
	# Handle curl error(s)
	ret_code_pkg=$?
	if [ $ret_code_pkg != 0 ];
	then
		echo "FAILED ($ret_code_pkg)"
		echo -n "Attempting to download ${URL_BASE}/${PKG_NAME}/${PKG}... "
		curl -f -s -LO "${URL_BASE}/${PKG_NAME}/${PKG}"
		ret_code_pkg_2=$?
		if [ $ret_code_pkg_2 != 0 ];
		then
			echo "FAILED ($ret_code_pkg_2). Exiting"
			exit $ret_code_pkg_2
		else
			echo "SUCCESS"
		fi
	else
		echo "SUCCESS"
	fi
fi

# Download signature...
if [ ! -f "${ROOTDIR}/${PKG_SIG}" ];
then
	# Download package signature
	echo -n "Downloading ${URL_BASE}/${PKG_DIR}/${PKG_SIG}... "
	curl -f -s -LO "${URL_BASE}/${PKG_DIR}/${PKG_SIG}"
	ret_code_sig=$?
	if [ $ret_code_sig != 0 ]; then
		echo "FAILED ($ret_code_sig)"
		echo -n "Attempting download of ${URL_BASE}/${PKG_NAME}/${PKG_SIG}... "
		curl -f -s -LO "${URL_BASE}/${PKG_NAME}/${PKG_SIG}"
		ret_code_sig_2=$?
		if [ $ret_code_sig_2 != 0 ]; then
			echo "FAILED ($ret_code_sig_2). Exiting."
			exit $ret_code_sig_2
		else
			echo "SUCCESS"
		fi
	else
		echo "SUCCESS"
	fi
fi

# Download package keyring...
if [ ! -f "${ROOTDIR}/${KEYRING}" ];
then
	echo -n "Downloading ${URL_BASE}/${KEYRING}... "
	curl -f -s -LO "${URL_BASE}/${KEYRING}"
	ret_code_kr=$?
	if [ $ret_code_kr != 0 ]; then
		echo "FAILED ($ret_code_kr). Exiting..."
		exit $ret_code_kr
	else
		echo "SUCCESS"
	fi
fi

# Verify signature...
if [ -f "${ROOTDIR}/${PKG}" ] && [ -f "${ROOTDIR}/${PKG_SIG}" ] && [ -f "${ROOTDIR}/${KEYRING}" ]; then
	# Verify package signature
	echo -n "Verifying package signature... "
	gpg2 --no-default-keyring --keyring "${ROOTDIR}/${KEYRING}" --verify "${ROOTDIR}/${PKG_SIG}" 2>/dev/null
	ret_code_ver=$?
	if [ $ret_code_ver != 0 ]; then
		# Some signatures are not in the 'standard' keyring. Attempt to pull from keyserver...
		echo "FAILED ($ret_code_ver)"
		echo -n "Attempting to import key ID "
		KEYID=`gpg2 --no-default-keyring --keyring "${ROOTDIR}/${KEYRING}" --verify "${ROOTDIR}/${PKG_SIG}" 2>&1 | grep ID | awk '{print $14}'`
		echo "$KEYID from keyserver... "
		TMPKEYRING=${PKG_NAME}-keyring.gpg
		gpg2 --no-default-keyring --keyring "./${TMPKEYRING}" --keyserver "hkp://keys.gnupg.net" --search-keys "0x${KEYID}"
		ret_code_imp=$?
		# For some reason the return code for gpg2 when importing successfully is NOT 0
		#if [ $ret_code_imp != 0 ]; then
		#	echo "FAILED ($ret_code_imp). Exiting."
		#	exit $ret_code_imp;
		#else
			if [ -f "./${TMPKEYRING}" ]; then
				# Verify package signature with imported key
				echo -n "Verifying package signature... "
				gpg2 --no-default-keyring --keyring "./${TMPKEYRING}" --verify "${ROOTDIR}/${PKG_SIG}" 2>/dev/null
				ret_code_ver_2=$?
				if [ $ret_code_ver_2 != 0 ]; then
					echo "FAILED ($ret_code_ver_2). Exiting."
					exit $ret_code_ver_2
				else
					echo "SUCCESS"
				fi
			fi
		#fi
	else
		echo "SUCCESS"
	fi
fi

# Generate binary_hash for roll binary_hashes file
OBJ=$PKG
if [ -f "${OBJ}" ]; then
	echo "Generating binary_hash... "
	echo ""
	OBJ_SIZE=`ls -l ${PKG} | awk '{print $5}'`
	OBJ_HASH=`git hash-object -t blob ${OBJ}`
	OBJ_NAME=${OBJ}	
	printf "%15d  %40s  %s\n" $OBJ_SIZE $OBJ_HASH $OBJ_NAME
	echo ""
fi

exit 0